After having dabbled in Gentoo Linux for years, I finally decided I was tired of dealing with the regularly-occurring broken packages and dependencies, out-of-date software, and distro-breaking structure changes. I am now diving headfirst into Ubuntu Linux 16.04.1, in an effort to set up a household appliance system that “just works”. However, I have found that Ubuntu doesn’t automate nearly as much of the setup as I had hoped, and so this is my log of steps I have followed to get my system working as intended, so that I can re-create them when and where necessary.

Beginning with a bare install of Ubuntu Server with openssh enabled.

System Configuration:

  • /etc/lvm/lvm.conf
    • snapshot_autoextend_threshold = 75 # This enables thin snapshots
  • /root/bin/snapshot
    lvcreate -L1G -s -n "root-"$(date +"%Y%m%d-%H%M") vg0/root
  • /etc/default/grub
  • dpkg-reconfigure unattended-upgrades
    • /etc/apt/apt.conf.d/50unattended-upgrades
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
  • /etc/sysctl.conf // Using an SSD, so I want to minimize swap usage
  • systemctl edit getty@tty1 // Don’t wipe boot messages off screen at login

System utilities:

  • apt install htop
  • apt purge btrfs-tools // I am running ZFS RAID for the time being.
  • apt purge mdadm // I am running ZFS RAID for the time being.
  • apt purge apport # Crash reporter
  • apt purge bluez bluez-cups bluez-obexd libgnome-bluetooth13 # bluetooth
  • apt purge rfkill # Wireless devices management tool
  • apt purge colord # color profile daemon for photo viewers
  • apt purge lxd lxd-client lxcfs lxc # virtual VMs
  • apt purge snapd ubuntu-core-launcher squashfs-tools # Ubuntu’s snapd
  • apt purge signond ibus # Pulls KDE as dependencies, not really needed.
  • apt install p7zip-full
  • apt install sqlite3 // needed for fail2ban scripts
  • apt install apcupsd # UPS Battery monitor
    •  apt install apcupsd-cgi (if using with a httpd)
    • /etc/apcupsd/apcupsd.conf
      UPSCABLE usb
      UPSTYPE usb


  • apt install ssmtp # This is needed for administrative emails (i.e. for smartmontools)
    • mailhub=mailserver:587
    • AuthPass=mypassword
  • dpkg -i powerpanel_132_amd64.deb # CyberPower PowerPanel
    • /etc/sudoers
      www-data ALL=(ALL) NOPASSWD: /usr/sbin/pwrstat -status
  • apt install lm-sensors
  • apt install hddtemp
  • iscan-data iscan iscan-plugin-gt-x770 # Scanner packages, may need to be downloaded
  • hll2305lpr-3.2.0-1.i386.deb hhll2305cupswrapper-3.2.0-1.i386.deb # Printer packages, may need to be downloaded

Networking configuration:

  • apt purge network-manager # We do this like real men.
  • /etc/udev/rules.d/10-network.rules # Persistent network interface names
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="74:27:ea:da:85:14", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth_onboard"
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0a:cd:20:13:61", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth_discreet"
  • apt-get install bridge-utils
  • /etc/network/interfaces # Setting up a bridge here for use with OpenVPN
    auto eth_onboard
    iface eth_onboard inet dhcp
    auto br0
    iface br0 inet static
    bridge_ports eth_discreet
    iface eth_discreet inet manual
    up ip link set $IFACE up promisc on
    down ip link set $IFACE down promisc off
  • /etc/default/grub
    • update-grub

Networking service software:

  • apt install vsftpd
    • chmod -R g+s /srv/ftp
    • /etc/shells
    • find /srv/ftp/ -type f -exec chmod 644 {} \;
    • find /srv/ftp/ -type d -exec chmod 775 {} \;
  • apt install transmission-daemon
    • gpasswd -a debian-transmission ftp
  • apt install samba
    interfaces = # eth0
    hosts allow =
    comment = Home Directories
    browseable = no
    read only = no
    comment = Public Files
    browseable = yes
    guest ok = yes
    path = /srv/ftp
    public = yes
    writable = yes
    guest account = ftp
    force user = ftp
    create mask = 0644
    directory mask = 0755
  • apt install openvpn
    • /etc/openvpn/server.conf
      • comment out local hostname
  • apt install apache2
    • apt install libapache2-mod-php
    • a2enmod cgi
    • set apache port to 8080 and 80 (COX internet blocks port 80)
    • setup, configure, and update website at /var/www/html
    • chown -R www-data:www-data /var/www
    • apache2.conf # Enable .htaccess
      AllowOverride All
      • a2enmod rewrite
    • a2enmod proxy_http # reverse proxy
  • apt install php-curl php-xml //for (my private) transmission rss script
  • apt install fail2ban
  • Firewall/QOS

Router configuration:

  • apt install dnsmasq
    • /etc/dnsmasq.conf
  • apt install mysql-server
    • mysql_secure_installation
    • /etc/mysql/my.cnf // This edit is only for ZFS
    • apt install phpmyadmin
    • ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-enabled/phpmyadmin.conf
  • apt install ntopng
    • /etc/ntopng.conf
      -B=not((src net and (dst net
  • add-apt-repository ppa:notartom/squid-ssl # Squid with SSL support
    • apt update
    • apt install squidguard # caching proxy with URL filtering
    • Set up Squid certificate
      • mkdir /etc/squid/ssl_cert
      • openssl genrsa -aes256 -out ca-key.pem 2048
      • openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 36500 -out ca-root.pem -sha512 # ca-root.pem # This is the file to distribute for CA installation
      • openssl pkcs12 -inkey ca-key.pem -in ca-root.pem -export -out shanock.pfx # This is the file to distribute for CA installation
    • /etc/apt/preferences.d/priority-squid
      Package: *
      Pin: release o=LP-PPA-notartom-squid-ssl
      Pin-Priority: 1000 a=xenial,n=xenial,l=Squid
    • /etc/squid/squid.conf
      url_rewrite_program /usr/bin/squidGuard
      maximum_object_size 4096 MB
      http_port 3128 transparent
      # Use the following for transparent HTTPS in conjunction with appropriate FireQOS config
      #https_port cert=/etc/squid/ssl_cert/ca-root.pem key=/etc/squid/ssl_cert/ca-key.pem ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
      # Use the following for explicit HTTPS
      http_port cert=/etc/squid/ssl_cert/ca-root.pem key=/etc/squid/ssl_cert/ca-key.pem ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
      # This is for exclusion lists
      acl DiscoverSNIHost at_step SslBump1
      acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
      ssl_bump splice NoSSLIntercept
      ssl_bump peek DiscoverSNIHost
      ssl_bump stare all
      ssl_bump bump all
      acl localnet src
      http_access allow localnet
      cache_dir ufs /var/spool/squid 65536 16 256
      dns_v4_first on
      coredump_dir /var/spool/squid
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
      refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
      refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|gz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
      refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
      refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
      refresh_pattern -i* 10080 90% 43200
      refresh_pattern -i* 10080 90% 43200
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern . 0 40% 40320
    • /etc/squid/url.nobump
    • squid3 -z # Creates cache directories
    • Extract lists from to /var/lib/squidguard/db
    • /etc/squidguard/squidGuard.conf
      dest adv {
      	domainlist BL/adv/domains
      	urllist BL/adv/urls
      }
      dest costtraps {
      	domainlist BL/costtraps/domains
      	urllist BL/costtraps/urls
      }
      dest spyware {
      	domainlist BL/spyware/domains
      	urllist BL/spyware/urls
      }
      dest tracker {
      	domainlist BL/tracker/domains
      	urllist BL/tracker/urls
      }
      acl {
      	default {
      		pass !adv !costtraps !spyware !tracker all
      	}
      }
    • Firewall/QOS
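
The `openssl pkcs12 -inkey ca-key.pem ... -export` step above bundles the CA private key into the `.pfx`, while `ca-root.pem` holds only the certificate. The script below is an added example, not part of the original log: it builds a throwaway CA the same way in a temp directory (subject, password and output names are constructed, and the key is left unencrypted so the demo runs without prompts) and checks each file for a private key before it goes to clients.

```sh
#!/bin/sh
# Added example. Everything is created in a temp dir; subject, password and
# output names are constructed for the demo, not taken from the page.

# has_private_key <file> [pkcs12-password]: exit 0 if the file carries a key.
has_private_key() {
    # PEM files: look for any "BEGIN ... PRIVATE KEY" block.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        return 0
    fi
    # Otherwise try it as PKCS#12 and ask openssl for the key bags only.
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# build_demo_ca <dir>: the same three artifacts as the page, plus a DER copy
# of the certificate, which is all a client trust store needs.
build_demo_ca() {
    openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/ca-key.pem" -subj '/CN=Constructed Demo CA' \
        -days 1 -sha512 -out "$1/ca-root.pem" &&
    openssl pkcs12 -inkey "$1/ca-key.pem" -in "$1/ca-root.pem" -export \
        -out "$1/demo.pfx" -passout pass:demo-only &&
    openssl x509 -in "$1/ca-root.pem" -outform DER -out "$1/ca-root.crt"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_demo_ca "$demo_dir" || { echo "openssl failed" >&2; exit 1; }

for f in ca-root.pem ca-root.crt demo.pfx ca-key.pem; do
    if has_private_key "$demo_dir/$f" demo-only; then
        echo "$f: contains a private key, keep it on the proxy"
    else
        echo "$f: certificate only, safe to hand to clients"
    fi
done
```

A wrong PKCS#12 password makes openssl reject the file and the check report "certificate only", so pass the real export password when testing a `.pfx`.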
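
The `NoSSLIntercept` ACL above decides which TLS connections are spliced instead of bumped, and its entries are unanchored, case-insensitive regular expressions. As an added example (not from the original log, with constructed patterns and host names, and `grep -E -i` standing in for Squid's matcher), this shows how a loosely written `url.nobump` line also exempts look-alike names, and how an anchored line does not:

```sh
#!/bin/sh
# Added example. The pattern lists and host names below are constructed;
# the page does not show the contents of /etc/squid/url.nobump.

# Squid compiles each line of a *_regex ACL file as a POSIX extended regex
# (case-insensitive with -i); grep -E -i is used here as a stand-in matcher.
nobump_loose='bank\.example
updates\.vendor\.example'
nobump_anchored='(^|\.)bank\.example$
(^|\.)updates\.vendor\.example$'

# decision <patterns> <server-name>: "splice" if any pattern matches (the
# NoSSLIntercept rule wins), otherwise "bump" (falls through to stare/bump).
decision() {
    while IFS= read -r _pat; do
        [ -n "$_pat" ] || continue
        if printf '%s\n' "$2" | grep -E -i -q -e "$_pat"; then
            echo splice
            return 0
        fi
    done <<EOF
$1
EOF
    echo bump
}

# unanchored <patterns>: list patterns with no trailing "$", i.e. ones that
# also match when the name continues past the intended domain.
unanchored() {
    while IFS= read -r _pat; do
        case $_pat in
            '' | *'$') ;;
            *) printf '%s\n' "$_pat" ;;
        esac
    done <<EOF
$1
EOF
}

for host in www.bank.example WWW.BANK.EXAMPLE bank.example.lookalike.test \
            notbank.example news.example; do
    printf '%-30s loose=%-7s anchored=%s\n' "$host" \
        "$(decision "$nobump_loose" "$host")" \
        "$(decision "$nobump_anchored" "$host")"
done
```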


  • apt install lubuntu-core # Lubuntu desktop without all the bloat
  • apt install x11vnc
    • /lib/systemd/system/x11vnc.service
      Description=Start x11vnc at startup.
      ExecStart=/usr/bin/x11vnc -nopw --auth guess -forever -loop -noxdamage -repeat -rfbport 5900 -shared
    • systemctl enable x11vnc.service
  • apt install xrdp
    • echo lxsession >~/.xsession
    • echo lxsession >/etc/skel/.xsession
    • /etc/xrdp/xrdp.ini

GUI Software

  • apt purge xvt
  • apt install xterm # Lightweight terminal
    • ~/.Xresources
      xterm*foreground: Gray
      xterm*ScrollBar: true
      xterm*savelines: 1024
      xterm*rightScrollBar: true
  • apt purge byobu
  • apt purge vim
  • apt purge gnome-screenshot
  • apt install diffuse # Graphical diff
  • apt install gedit # Text editor
  • apt install chromium-browser # Web browser
  • apt install lightdm-gtk-greeter-settings # For setting login screen wallpaper
  • apt install software-properties-gtk # Installs some mystery “unknown: unknown” driver, no idea what for

HTPC Software/Configuration

  • Fix tearing on Intel cards. May cause screen artifacts.
    • apt install mesa-utils
    • /etc/X11/xorg.conf.d/20-intel.conf
      Section "Device"
              Identifier "Intel Graphics"
              Driver "intel"
              Option "TearFree" "true"
      EndSection
  • apt install gnome-mplayer
  • apt install pithos
  • apt install pavucontrol
  • System-wide pulse control
    • /etc/pulse/client.conf
      default-server =
    • /etc/pulse/ # Set HDMI as default sink
      set-card-profile 0 output:hdmi-stereo
    • /etc/pulse/ # Network streaming sink (find ‘source’ with ‘pactl list sources short’)
      load-module module-null-sink sink_name=kitchen
      load-module module-native-protocol-tcp auth-ip-acl=; auth-anonymous=1
      load-module module-simple-protocol-tcp rate=48000 format=s16le channels=2 source=kitchen.monitor record=true
    • /etc/systemd/system/pulseaudio.service
      Description=PulseAudio system server
      ExecStart=/usr/bin/pulseaudio --system --realtime --disallow-exit --no-cpu-limit -vvvv --log-target=journal
      ExecStop=/usr/bin/pulseaudio -k
    • This also sets up a network stream for the ‘null’ sink. Access with Android using Simple Protocol Player to port 4711
  • Pulse Equalizer
    • add-apt-repository ppa:nilarimogard/webupd8
    • apt-get install pulseaudio-equalizer
    • /etc/X11/xorg.conf.d/20-intel.conf
      load-module module-detect tsched=0
  • Sound card fixes
    • amixer default card /usr/share/alsa/alsa.conf
      defaults.ctl.card 0
      defaults.pcm.card 0
    • Multimedia keys ~/.config/openbox/lxde-rc.xml
      pactl set-sink-volume "@DEFAULT_SINK@" +3%
      pactl set-sink-volume "@DEFAULT_SINK@" -3%
      amixer -q sset PCM Toggle
  • Configure a guest session for HTPC access:
    • create account guest-prefs
    • ln -s /home/guest-prefs /etc/guest-session/skel
    • /etc/apparmor.d/abstractions/lightdm # Allows guest accounts to access the NAS media files
      /srv/ftp/** rmix,
      /srv/ftp/ rmix,
    • set a wallpaper for guest session
    • apt purge gnome-screensaver # Screensaver locks out the guest account
    • apt purge xscreensaver
    • apt purge xscreensaver-data
    • apt install xfce4-power-manager
      • set guest session screen blanking
    • /usr/share/polkit-1# gedit actions/org.freedesktop.login1.policy # Stops guest users from being able to shutdown/reboot the computer
      Do the following for all actions that need admin approval:

      <action id="org.freedesktop.login1.power-off">

Virtual Machine Host:

  • apt install qemu virt-manager qemu-efi ovmf [headless: -virt-manager +qemu-kvm +virtinst +bridge-utils]
  • gpasswd -a username libvirtd
  • setfacl -Rm u:libvirt-qemu:rwX,d:u:libvirt-qemu:rwX image_directory/


  • Diagnose startup service failures: systemctl --state=failed, then service [service] status
  • /etc/pulse/ // fix pulseaudio not working after a while
    #load-module module-switch-on-port-available
  • systemctl edit ntopng # fix bug, ntopng requires redis-server
  • systemctl edit squid # fix bug, squid starts before zfs mounts

  • /etc/lightdm/lightdm-gtk-greeter.conf # fix high LightDM CPU usage
  • Crontab: @reboot /usr/sbin/service squid start
  • systemctl daemon-reload

To Do:

update-initramfs -c -k all

  • fix guest session can switch user
  • fix PID error on guest logon “No session for pid XXXXX”
    • doesn’t work
    • /etc/apparmor.d/lightdm-guest-session:
    • /etc/xdg/lxsession/Lubuntu/* cx,
  • fix error connecting on xrdp logon
  • fix guest “failed to start session”
  • tweak resolution
  • vsftpd anonymous login/write